With two lockscreen holes and a fingerprint sensor that can be fooled with woodglue, we thought we'd given diehard iPhone fans a horse that was already dangerously high enough for them not to get down from. [I think you have mixed more than a metaphor there, Ed.]

For example, we chose not to cover the fact that the New York Police Department were handing out flyers over the weekend advising residents of the Big Apple to take Even Bigger Apple's advice, and to upgrade to iOS 7 as soon as possible for security reasons.

We weren't entirely sure that we agreed with New York's Finest there, not least because we'd already gone so far as to suggest that you might want to consider sticking at iOS 6.1.3 until the lockscreen holes were fixed.

But we didn't want to enter a public wrangle with a concept we agree with strongly in principle.

Cybersecurity is important to and for everybody, not only for privacy reasons, but also as an aspect of crime prevention, so it is great to see beat cops trying to get people interested in it.

However, as you've no doubt noticed, this is another Apple iOS 7 story, and it's yet another tale of woe at the lockscreen.

All about Siri

With Naked Security readers saying to us, "Ha! Did you hear about Siri?", we could hardly let this one go.

We've written before about Siri, Apple's voice control system.

Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

The company also retained both your audio data and transcripts of what you said "for a period of time" so that Apple could "generally improve" its products and services.

IBM famously banned Siri precisely because it didn't want unspecified transcripts of employees' musings lying around at Apple, and with all the recent fuss about internet surveillance, that may have been a prescient move.

Secondly, we covered Siri because of lockscreen problems, where locking crooks out of the keyboard and the touch interface didn't stop them asking your phone to bypass its own security.

Seems like déjà vu all over again.

There's a video going around, for example, from a company called Cenzic, apparently showing Siri blocking a Facebook post with a feminine-sounding equivalent of HAL's infamous "I'm sorry, Dave, I'm afraid I can't do that" from 2001: A Space Odyssey.

But immediately afterwards, following some modest Home button "hacking" (a feat that seems to be no more complex than holding the Home button down for a while), Siri complies politely and quickly with an almost identical request.

And a Naked Security commentator suggests:

Industry reaction has been interesting, with one publication actually using the words "access is limited," as though there were little cause for concern, before confirming that the "limitations" apparently don't prevent you sending email, or posting to the user's social networks.

Oh, and you can call anywhere, just as you can with the "emergency call" hole.

What to do?

There's a workaround: disallow Siri from the lockscreen, by heading to Settings|General|Passcode Lock and turning off Allow access when locked for Siri. (Why, oh why, is that not the default?)

You could go one step further, of course, and follow IBM's lead by turning off Siri altogether.
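For anyone managing more than one device, the two settings above (Siri off at the lockscreen, or Siri off altogether) can be pinned with a configuration profile rather than relying on each user to find the toggle. The following is an added example, not Sophos's or Apple's code: it builds such a profile with Python's plistlib using the allowAssistant and allowAssistantWhileLocked keys from Apple's Restrictions payload, and audits an existing profile to confirm Siri really is locked out. The payload identifiers and display names are made-up values.

```python
import plistlib
import uuid


def build_siri_lockscreen_profile(allow_siri=True, allow_siri_while_locked=False):
    """Build a configuration profile that pins the two Siri settings.

    The defaults reproduce the article's workaround: keep Siri, but refuse
    it at the lockscreen. Identifiers and names are constructed examples.
    """
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",      # Restrictions payload
        "PayloadIdentifier": "com.example.restrictions.siri",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Siri lockscreen restriction",
        "allowAssistant": allow_siri,                      # Siri on/off entirely
        "allowAssistantWhileLocked": allow_siri_while_locked,  # Siri at lockscreen
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.profile.siri",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Block Siri while locked",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def siri_locked_out(profile_bytes):
    """Audit a profile: True only if it blocks Siri at the lockscreen.

    Siri is kept off the lockscreen when the assistant is disabled outright
    or disallowed while locked. A missing key means "allowed" (Apple's
    default), so a profile that says nothing about Siri fails the audit.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        if payload.get("allowAssistant", True) is False:
            return True
        if payload.get("allowAssistantWhileLocked", True) is False:
            return True
    return False
```

Installing the profile (by e-mail, web link or MDM) applies the restriction; the audit function is the check to run against profiles already in use.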

There are some things that HAL's smooth-sounding stepsister just doesn't need to hear.

But if Apple is to be believed, once erased your iDevice can't be reconfigured to someone else's Apple ID, because iOS 7 locks would-be thieves out of your device until they know your password. So as long as iCloud backup is turned on, then just restore. A workaround sure, and annoying as your little snot-nosed sibling, but at least your phone is yours again....

Until hackers find out how to deactivate that little security feature (jailbreak anyone?)

You say.....
"Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

The company also retained both your audio data and transcripts of what you said "for a period of time" so that Apple could "generally improve" its products and services."

Google do exactly the same thing with the Android voice engine. Your voice is uploaded, processed and retained briefly.

* The Google actions you describe aren't doing "exactly the same thing" - Apple specifically announced it would hang onto your voice and the transcripts "for a period of time." So they kept more, and for longer. Indeed, they explicitly retained the data to use again.

* I don't use the Android voice engine, and my personal approach is that it is best avoided. That's not science but viscera speaking. (I try to remove all APKs that relate to voice processing, since I have a rooted device and can do so, as a way of helping inhibit me from using it at all. I *think* I've eliminated most of it :-)

You should check to see that earlier statements still stand, as IBM's "ban" on Siri was extremely short and limited in nature. The full policy is (and has been since shortly after Siri launched over a year ago) that Siri's use on lock be disabled. It's generally a good idea to enable that feature for everyone who cares about actually locking their phone.

(comments made are my own and do not reflect the statements or stance of IBM as a whole)

The comment he replied to completely misses the obvious focus of the article, while ignoring clearly posted facts in the article and insulting the author. Comments like that don't warrant professionalism.

Point is - you have to choose to lock Siri on the lock screen. If you can dial numbers etc. from a locked phone then shouldn't it be locked as standard? Not left up to the user to find out this is a potential issue and do something about it?

It's not the default settings because people usually prefer convenience over security and Apple is giving them what they want. They'll want to have it this way until they're subject to a security breach, in which case they'll say it's scandalous of Apple to not have saved them with better security.

I don't want to put words in your mouth but don't you mean it's not a "bug" because you can turn it off. Whether it's a vulnerability caused by inappropriate coding or a designed feature it's still a hole.

The last time I saw something like this posted, the user was actually unlocking the 5S by holding down the button to launch Siri, which of course used the user's fingerprints. Are you sure you aren't doing the same? It isn't clear from the picture if it is a 5S...

This definitely doesn't need the iPhone to be unlocked. If the iPhone happens to have a bluetooth headset paired with it you can do the same thing without touching the phone. Just turn on the headset, it connects automatically and that triggers Siri to launch.

Now you can't just ask to read email or open the contact list but ask to send a mail and you can check for addresses.

I had my iPhone 5 hacked via Siri from an iPhone 4 which wasn't even working properly - think it was done via iTunes, but really don't know how it was done, that's all I was told apart from having to have the owner's home address xx

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog